Page 153 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

business functions or services, it does increase potential risk by expanding the potential attack surface and range of vulnerabilities.

SLAs should include a focus on protecting and improving security in addition to ensuring quality and timely services at a reasonable price. Some SLAs are set and cannot be adjusted, while with others you may have significant influence over their content. You should ensure that an SLA supports the tenets of your security policy and infrastructure rather than being in conflict with it, which could introduce weak points, vulnerabilities, or exceptions.

Compliance Policy Requirements

Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern of security governance. On a personnel level, compliance is related to whether individual employees follow company policy and perform their job tasks in accordance with defined procedures. Many organizations rely on employee compliance in order to maintain high levels of quality, consistency, efficiency, and cost savings. If employees do not maintain compliance, it could cost the organization in terms of profit, market share, recognition, and reputation. Employees need to be trained in what they are expected to do (i.e., stay in line with company standards as defined in the security policy and remain in compliance with any contractual obligations, such as the Payment Card Industry Data Security Standard (PCI DSS), in order to maintain the ability to perform credit card processing); only then can they be held accountable for violations or noncompliance.

Privacy Policy Requirements

Privacy can be a difficult concept to define. The term is used frequently in numerous contexts without much quantification or qualification. Here are some partial definitions of privacy:

    Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization)

    Freedom from unauthorized access to information deemed